one of two reports won't accelerate

RVDowning · ‎05-12-2015

I have two reports which are identical with the exception of the earliest modifier. One has earliest="8/22/2014:00:00:00" , the other earliest=-6months. (The names of the reports are also different.)

The former works as expected. I can't get the latter one to accelerate. In Report Acceleration Summaries the one that works says "Pending Updated: 31m ago" and the one that doesn't work says "Building summary - 0% Updated: Never" and that status never changes. I've tried the Rebuild option under the Summary ID and also the Rebuild option under the Normalized Summary ID, but can't seem to get it to work.

Any ideas?

lguinn2 · ‎05-12-2015

There are several valid reasons that this could happen.

If the search returns less than 100K events, Splunk will not create the acceleration summary - it's faster for Splunk to do the search as needed. If the number of events grows to greater than 100K, Splunk will then create the summary. I think this is the most likely reason.

Look at Manage Report Acceleration for more ideas.

RVDowning · ‎05-12-2015

Given that it selected 16,103,292 events I don't think that this is the issue. The one that does work selected 16,943,827 events.

one of two reports won't accelerate

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...